Index: head/security/hpn-ssh/Makefile
===================================================================
--- head/security/hpn-ssh/Makefile (revision 118777)
+++ head/security/hpn-ssh/Makefile (revision 118778)
@@ -1,163 +1,167 @@ # New ports collection makefile for: openssh # Date created: 18 Mar 1999 # Whom: dwcjr@inethouston.net # # $FreeBSD$ # PORTNAME= openssh PORTVERSION= 3.9.0.1 .if defined(OPENSSH_SNAPSHOT) PORTREVISION!= date -v-1d +%Y%m%d .endif PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \ ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ PKGNAMESUFFIX?= ${PORTABLE_SUFFIX}${GSSAPI_SUFFIX}${BASE_SUFFIX}${PKGNAMESUFFIX2} MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR2} DISTNAME= ${DISTNAME2} MAINTAINER= dinoex@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH OPENSSHVERSION= 3.9p1 .if defined(OPENSSH_SNAPSHOT) MASTER_SITE_SUBDIR2= snapshot/ DISTNAME2= ${PORTNAME}-SNAP-${PORTREVISION} NO_CHECKSUM= yes WRKSRC= ${WRKDIR}/${PORTNAME} .else MASTER_SITE_SUBDIR2= DISTNAME2= ${PORTNAME}-${OPENSSHVERSION} WRKSRC= ${WRKDIR}/${PORTNAME}-${OPENSSHVERSION} .endif MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1 MLINKS= ssh.1 slogin.1 MAN5= ssh_config.5 sshd_config.5 MAN8= sftp-server.8 sshd.8 ssh-keysign.8 CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* USE_OPENSSL= yes CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto GNU_CONFIGURE= yes USE_REINPLACE= yes USE_PERL5_BUILD= yes CONFIGURE_ARGS+= --prefix=${PREFIX} --with-md5-passwords PRECIOUS= ssh_config sshd_config \ ssh_host_key ssh_host_key.pub \ ssh_host_rsa_key ssh_host_rsa_key.pub \ ssh_host_dsa_key ssh_host_dsa_key.pub ETCOLD= ${PREFIX}/etc PORTABLE_SUFFIX= -portable .if exists(/usr/include/security/pam_modules.h) CONFIGURE_ARGS+= --with-pam .endif .if exists(/usr/include/tcpd.h) CONFIGURE_ARGS+= --with-tcp-wrappers .endif .if !defined(ENABLE_SUID_SSH) CONFIGURE_ARGS+= --disable-suid-ssh .endif .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) PORTABLE_SUFFIX= GSSAPI_SUFFIX= -gssapi CONFLICTS+= openssh-portable-* CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} .else CONFLICTS+= openssh-gssapi-* .if 
!defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h) CONFIGURE_ARGS+= --with-kerberos5 EXTRA_PATCHES+= ${FILESDIR}/gss-serv.c.patch .endif .endif .if defined(BATCH) EXTRA_PATCHES+= ${FILESDIR}/batch.patch .endif +.if defined(WITH_OPENSSH_CHROOT) +CFLAGS+= -DCHROOT +.endif + .if defined(OPENSSH_OVERWRITE_BASE) WITH_OPENSSL_BASE= yes BASE_SUFFIX= -overwrite-base PREFIX= /usr MANPREFIX= ${PREFIX}/share CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man --localstatedir=/var EMPTYDIR= /var/empty ETCSSH= /etc/ssh PLIST_SUB+= NOTBASE="@comment " PLIST_SUB+= BASE="" PKGMESSAGE= pkg-message.empty .else .if exists(/var/empty) EMPTYDIR= /var/empty .else EMPTYDIR= ${PREFIX}/empty .endif ETCSSH= ${PREFIX}/etc/ssh PLIST_SUB+= NOTBASE="" PLIST_SUB+= BASE="@comment " .endif PLIST_SUB+= EMPTYDIR=${EMPTYDIR} CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR} post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure post-configure: ${SED} -e 's:__PREFIX__:${PREFIX}:g' \ ${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh pre-install: .if defined(OPENSSH_OVERWRITE_BASE) -${MKDIR} ${EMPTYDIR} .else -${MKDIR} ${PREFIX}/empty .endif if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi -@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH} .for i in ${PRECIOUS} -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \ ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." 
&& \ ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i} .endfor post-install: .if !defined(OPENSSH_OVERWRITE_BASE) ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample .endif ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist .if !defined(OPENSSH_OVERWRITE_BASE) @${CAT} ${PKGMESSAGE} .endif test: (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \ TEST_SHELL=/bin/sh \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ) .include SUDO?= MAKE_ENV+= SUDO="${SUDO}" .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) .if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= .endif .else CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH} .endif CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .include Property changes on: head/security/hpn-ssh/Makefile ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.92 \ No newline at end of property +1.93 \ No newline at end of property Index: head/security/hpn-ssh/files/patch-session.c =================================================================== --- head/security/hpn-ssh/files/patch-session.c (revision 118777) +++ head/security/hpn-ssh/files/patch-session.c (revision 118778) 
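Review bot: The new WITH_OPENSSH_CHROOT knob is undocumented in this hunk — nothing in the Makefile says what `-DCHROOT` changes in the built sshd, and the same three lines are added verbatim to head/security/openssh-portable/Makefile in this commit. Judging from files/patch-session.c in the same commit, the define makes sshd chroot(2) a session into the part of the user's home directory before a `/./` marker, which is a convention a user setting the knob needs to know about. I'd put a comment above the block, e.g. `# WITH_OPENSSH_CHROOT: build sshd with -DCHROOT so that a session is chroot(2)ed into the part of pw_dir before a "/./" marker (root privileges are needed for this)`, and list the knob wherever the port documents its other build options, if it does.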
@@ -1,315 +1,349 @@ ---- session.c.orig Tue Sep 23 10:59:08 2003 -+++ session.c Tue Sep 23 17:29:31 2003 -@@ -62,6 +62,11 @@ +--- session.c.orig Thu Aug 12 14:40:25 2004 ++++ session.c Tue Sep 21 19:48:42 2004 +@@ -66,6 +66,11 @@ #include "ssh-gss.h" #endif +#ifdef __FreeBSD__ +#include +#define _PATH_CHPASS "/usr/bin/passwd" +#endif /* __FreeBSD__ */ + /* func */ Session *session_new(void); -@@ -411,6 +416,13 @@ +@@ -410,6 +415,13 @@ log_init(__progname, options.log_level, options.log_facility, log_stderr); /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + + /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. */ -@@ -516,6 +528,9 @@ +@@ -526,6 +538,9 @@ { int fdout, ptyfd, ttyfd, ptymaster; pid_t pid; +#if defined(USE_PAM) + const char *shorttty; +#endif if (s == NULL) fatal("do_exec_pty: no session"); -@@ -535,6 +550,14 @@ +@@ -546,6 +561,14 @@ /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + + /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + /* Close the master side of the pseudo tty. */ close(ptyfd); -@@ -676,6 +699,18 @@ +@@ -692,6 +715,18 @@ struct sockaddr_storage from; struct passwd * pw = s->pw; pid_t pid = getpid(); +#ifdef HAVE_LOGIN_CAP + FILE *f; + char buf[256]; + char *fname; + const char *shorttty; +#endif /* HAVE_LOGIN_CAP */ +#ifdef __FreeBSD__ +#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ + char *newcommand; + struct timeval tv; + time_t warntime = DEFAULT_WARN; +#endif /* __FreeBSD__ */ /* * Get IP address of client. 
If the connection is not a socket, let -@@ -710,6 +745,72 @@ +@@ -727,12 +762,101 @@ } #endif +#ifdef __FreeBSD__ + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tv, NULL); +#ifdef HAVE_LOGIN_CAP + warntime = login_getcaptime(lc, "warnpassword", + DEFAULT_WARN, DEFAULT_WARN); +#endif /* HAVE_LOGIN_CAP */ + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + logit("%s Password expired - forcing change", + pw->pw_name); + if (newcommand != NULL) + xfree(newcommand); + newcommand = xstrdup(_PATH_CHPASS); + } else if (pw->pw_change - tv.tv_sec < warntime && + !check_quietlogin(s, command)) + (void)printf( + "Warning: your password expires on %s", + ctime(&pw->pw_change)); + } + +#ifndef USE_PAM + if (pw->pw_expire) { + if (tv.tv_sec >= pw->pw_expire) { + (void)printf( + "Sorry -- your account has expired.\n"); + logit( + "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", + pw->pw_name, get_remote_name_or_ip(utmp_len, + options.use_dns), s->tty); + exit(254); + } else if (pw->pw_expire - tv.tv_sec < warntime && + !check_quietlogin(s, command)) + (void)printf( + "Warning: your account expires on %s", + ctime(&pw->pw_expire)); + } +#endif /* !USE_PAM */ +#endif /* __FreeBSD__ */ + +#ifdef HAVE_LOGIN_CAP + /* check if we have a pathname in the ttyname */ + shorttty = rindex( s->tty, '/' ); + if (shorttty != NULL ) { + /* use only the short filename to check */ + shorttty ++; + } else { + /* nothing found, use the whole name found */ + shorttty = s->tty; + } + if (!auth_ttyok(lc, shorttty)) { + (void)printf("Permission denied.\n"); + logit( + "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s", + pw->pw_name, get_remote_name_or_ip(utmp_len, + options.use_dns), s->tty); + exit(254); + } +#endif /* HAVE_LOGIN_CAP */ + if (check_quietlogin(s, command)) 
return; -@@ -738,7 +849,30 @@ - } - #endif /* NO_SSH_LASTLOG */ + display_loginmsg(); - do_motd(); +#ifdef HAVE_LOGIN_CAP + if (command == NULL && + !options.use_login) { + fname = login_getcapstr(lc, "copyright", NULL, NULL); + if (fname != NULL && (f = fopen(fname, "r")) != NULL) { + while (fgets(buf, sizeof(buf), f) != NULL) + fputs(buf, stdout); + fclose(f); + } else + (void)printf("%s\n\t%s %s\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); + } +#endif /* HAVE_LOGIN_CAP */ + + /* + * Print /etc/motd unless a command was specified or printing + * it was disabled in server options or login(1) will be + * used. Note that some machines appear to print it in + * /etc/profile or similar. + */ + if (command == NULL && !options.use_login) + do_motd(); } /* -@@ -754,9 +888,9 @@ +@@ -748,9 +872,9 @@ #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r"); -#else +#else /* !HAVE_LOGIN_CAP */ f = fopen("/etc/motd", "r"); -#endif +#endif /* HAVE_LOGIN_CAP */ if (f) { while (fgets(buf, sizeof(buf), f)) fputs(buf, stdout); -@@ -783,10 +917,10 @@ +@@ -777,10 +901,10 @@ #ifdef HAVE_LOGIN_CAP if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) return 1; -#else +#else /* HAVE_LOGIN_CAP */ if (stat(buf, &st) >= 0) return 1; -#endif +#endif /* HAVE_LOGIN_CAP */ return 0; } -@@ -973,6 +1107,10 @@ +@@ -967,6 +1091,10 @@ char buf[256]; u_int i, envsize; char **env, *laddr, *path = NULL; +#ifdef HAVE_LOGIN_CAP + extern char **environ; + char **senv, **var; +#endif /* HAVE_LOGIN_CAP */ struct passwd *pw = s->pw; /* Initialize the environment. 
*/ -@@ -980,6 +1118,9 @@ +@@ -974,6 +1102,9 @@ env = xmalloc(envsize * sizeof(char *)); env[0] = NULL; + /* Moved up to resove confict with gsssapi patches */ + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); #ifdef HAVE_CYGWIN /* * The Windows environment contains some setting which are -@@ -1034,9 +1175,21 @@ +@@ -1032,9 +1163,21 @@ /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); +#ifdef HAVE_LOGIN_CAP + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; + if (setusercontext(lc, pw, pw->pw_uid, + LOGIN_SETENV|LOGIN_SETPATH) < 0) { + perror("unable to set user context enviroment"); + } + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) + xfree(*var); + xfree(environ); + environ = senv; +#endif /* HAVE_LOGIN_CAP */ } - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1245,7 +1398,7 @@ - setpgid(0, 0); - # endif +@@ -1234,6 +1377,12 @@ + void + do_setusercontext(struct passwd *pw) + { ++ ++#ifdef CHROOT ++ char *user_dir; ++ char *new_root; ++#endif /* CHROOT */ ++ + #ifndef HAVE_CYGWIN + if (getuid() == 0 || geteuid() == 0) + #endif /* HAVE_CYGWIN */ +@@ -1254,10 +1403,30 @@ + } + # endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } -@@ -1275,7 +1428,16 @@ ++#ifdef CHROOT ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; ++ ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; ++ ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ pw->pw_dir = new_root; ++ 
break; ++ } ++ ++ new_root += 2; ++ } ++#endif /* CHROOT */ ++ permanently_set_uid(pw); + #else + # if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) + /* Sets login uid for accounting */ +@@ -1284,7 +1453,16 @@ * Reestablish them here. */ if (options.use_pam) { - do_pam_session(); + /* check if we have a pathname in the ttyname */ + shorttty = rindex( s->tty, '/' ); + if (shorttty != NULL ) { + /* use only the short filename to check */ + shorttty ++; + } else { + /* nothing found, use the whole name found */ + shorttty = s->tty; + } + do_pam_session(s->pw->pw_name, shorttty); do_pam_setcred(0); } # endif /* USE_PAM */ -@@ -1411,7 +1573,7 @@ +@@ -1374,7 +1552,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ - for (i = 3; i < 64; i++) + for (i = 3; i < getdtablesize(); i++) close(i); + } - /* -@@ -1429,6 +1591,31 @@ +@@ -1503,6 +1681,31 @@ exit(1); #endif } + +#ifdef __FreeBSD__ + if (!options.use_login) { + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. 
+ */ + if (pw->pw_change != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + syslog(LOG_INFO, + "%s Password expired - forcing change", + pw->pw_name); + if (system("/usr/bin/passwd") != 0) { + perror("/usr/bin/passwd"); + exit(1); + } + } + } + } +#endif /* __FreeBSD__ */ if (!options.use_login) do_rc_files(s, shell); Property changes on: head/security/hpn-ssh/files/patch-session.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.18 \ No newline at end of property +1.19 \ No newline at end of property Index: head/security/openssh-portable/Makefile =================================================================== --- head/security/openssh-portable/Makefile (revision 118777) +++ head/security/openssh-portable/Makefile (revision 118778) 
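Review bot: The new CHROOT block in do_setusercontext calls chroot(user_dir) but never chdir(2)s into the new root, so the child keeps a working directory outside the jail until a later chdir to pw->pw_dir succeeds; the rest of do_setusercontext and the caller are outside this hunk, and if that later chdir fails the session would run with a cwd that is not under the new root. I'd make the two one step: `if (chroot(user_dir) != 0 || chdir("/") != 0)` followed by the existing `fatal("Couldn't chroot to user directory %s", user_dir);`. Two smaller points in the same block: `new_root = user_dir + 1` starts past the terminator when pw_dir is the empty string, so the loop should be skipped unless `*user_dir != '\0'`, and on the no-marker path the xstrdup'd user_dir is never freed. The `#ifdef CHROOT` declarations at the top of the function appear to sit outside the HAVE_LOGIN_CAP branch that uses them, which would give unused-variable warnings on a CHROOT build without login.conf support — worth confirming. The identical hunk appears in head/security/openssh-portable/files/patch-session.c.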
@@ -1,163 +1,167 @@ # New ports collection makefile for: openssh # Date created: 18 Mar 1999 # Whom: dwcjr@inethouston.net # # $FreeBSD$ # PORTNAME= openssh PORTVERSION= 3.9.0.1 .if defined(OPENSSH_SNAPSHOT) PORTREVISION!= date -v-1d +%Y%m%d .endif PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \ ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ PKGNAMESUFFIX?= ${PORTABLE_SUFFIX}${GSSAPI_SUFFIX}${BASE_SUFFIX}${PKGNAMESUFFIX2} MASTER_SITE_SUBDIR= ${MASTER_SITE_SUBDIR2} DISTNAME= ${DISTNAME2} MAINTAINER= dinoex@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH OPENSSHVERSION= 3.9p1 .if defined(OPENSSH_SNAPSHOT) MASTER_SITE_SUBDIR2= snapshot/ DISTNAME2= ${PORTNAME}-SNAP-${PORTREVISION} NO_CHECKSUM= yes WRKSRC= ${WRKDIR}/${PORTNAME} .else MASTER_SITE_SUBDIR2= DISTNAME2= ${PORTNAME}-${OPENSSHVERSION} WRKSRC= ${WRKDIR}/${PORTNAME}-${OPENSSHVERSION} .endif MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1 MLINKS= ssh.1 slogin.1 MAN5= ssh_config.5 sshd_config.5 MAN8= sftp-server.8 sshd.8 ssh-keysign.8 CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* USE_OPENSSL= yes CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto GNU_CONFIGURE= yes USE_REINPLACE= yes USE_PERL5_BUILD= yes CONFIGURE_ARGS+= --prefix=${PREFIX} --with-md5-passwords PRECIOUS= ssh_config sshd_config \ ssh_host_key ssh_host_key.pub \ ssh_host_rsa_key ssh_host_rsa_key.pub \ ssh_host_dsa_key ssh_host_dsa_key.pub ETCOLD= ${PREFIX}/etc PORTABLE_SUFFIX= -portable .if exists(/usr/include/security/pam_modules.h) CONFIGURE_ARGS+= --with-pam .endif .if exists(/usr/include/tcpd.h) CONFIGURE_ARGS+= --with-tcp-wrappers .endif .if !defined(ENABLE_SUID_SSH) CONFIGURE_ARGS+= --disable-suid-ssh .endif .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) PORTABLE_SUFFIX= GSSAPI_SUFFIX= -gssapi CONFLICTS+= openssh-portable-* CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} .else CONFLICTS+= openssh-gssapi-* .if 
!defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h) CONFIGURE_ARGS+= --with-kerberos5 EXTRA_PATCHES+= ${FILESDIR}/gss-serv.c.patch .endif .endif .if defined(BATCH) EXTRA_PATCHES+= ${FILESDIR}/batch.patch .endif +.if defined(WITH_OPENSSH_CHROOT) +CFLAGS+= -DCHROOT +.endif + .if defined(OPENSSH_OVERWRITE_BASE) WITH_OPENSSL_BASE= yes BASE_SUFFIX= -overwrite-base PREFIX= /usr MANPREFIX= ${PREFIX}/share CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man --localstatedir=/var EMPTYDIR= /var/empty ETCSSH= /etc/ssh PLIST_SUB+= NOTBASE="@comment " PLIST_SUB+= BASE="" PKGMESSAGE= pkg-message.empty .else .if exists(/var/empty) EMPTYDIR= /var/empty .else EMPTYDIR= ${PREFIX}/empty .endif ETCSSH= ${PREFIX}/etc/ssh PLIST_SUB+= NOTBASE="" PLIST_SUB+= BASE="@comment " .endif PLIST_SUB+= EMPTYDIR=${EMPTYDIR} CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR} post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure post-configure: ${SED} -e 's:__PREFIX__:${PREFIX}:g' \ ${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh pre-install: .if defined(OPENSSH_OVERWRITE_BASE) -${MKDIR} ${EMPTYDIR} .else -${MKDIR} ${PREFIX}/empty .endif if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi -@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH} .for i in ${PRECIOUS} -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \ ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." 
&& \ ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i} .endfor post-install: .if !defined(OPENSSH_OVERWRITE_BASE) ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample .endif ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist .if !defined(OPENSSH_OVERWRITE_BASE) @${CAT} ${PKGMESSAGE} .endif test: (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \ TEST_SHELL=/bin/sh \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ) .include SUDO?= MAKE_ENV+= SUDO="${SUDO}" .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) .if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= .endif .else CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH} .endif CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .include Property changes on: head/security/openssh-portable/Makefile ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.92 \ No newline at end of property +1.93 \ No newline at end of property Index: head/security/openssh-portable/files/patch-session.c =================================================================== --- head/security/openssh-portable/files/patch-session.c (revision 118777) +++ head/security/openssh-portable/files/patch-session.c (revision 118778) 
@@ -1,315 +1,349 @@ ---- session.c.orig Tue Sep 23 10:59:08 2003 -+++ session.c Tue Sep 23 17:29:31 2003 -@@ -62,6 +62,11 @@ +--- session.c.orig Thu Aug 12 14:40:25 2004 ++++ session.c Tue Sep 21 19:48:42 2004 +@@ -66,6 +66,11 @@ #include "ssh-gss.h" #endif +#ifdef __FreeBSD__ +#include +#define _PATH_CHPASS "/usr/bin/passwd" +#endif /* __FreeBSD__ */ + /* func */ Session *session_new(void); -@@ -411,6 +416,13 @@ +@@ -410,6 +415,13 @@ log_init(__progname, options.log_level, options.log_facility, log_stderr); /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + + /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. */ -@@ -516,6 +528,9 @@ +@@ -526,6 +538,9 @@ { int fdout, ptyfd, ttyfd, ptymaster; pid_t pid; +#if defined(USE_PAM) + const char *shorttty; +#endif if (s == NULL) fatal("do_exec_pty: no session"); -@@ -535,6 +550,14 @@ +@@ -546,6 +561,14 @@ /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + + /* + * Using login and executing a specific "command" are mutually + * exclusive, so turn off use_login if there's a command. + */ + if (command != NULL) + options.use_login = 0; + /* Close the master side of the pseudo tty. */ close(ptyfd); -@@ -676,6 +699,18 @@ +@@ -692,6 +715,18 @@ struct sockaddr_storage from; struct passwd * pw = s->pw; pid_t pid = getpid(); +#ifdef HAVE_LOGIN_CAP + FILE *f; + char buf[256]; + char *fname; + const char *shorttty; +#endif /* HAVE_LOGIN_CAP */ +#ifdef __FreeBSD__ +#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ + char *newcommand; + struct timeval tv; + time_t warntime = DEFAULT_WARN; +#endif /* __FreeBSD__ */ /* * Get IP address of client. 
If the connection is not a socket, let -@@ -710,6 +745,72 @@ +@@ -727,12 +762,101 @@ } #endif +#ifdef __FreeBSD__ + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tv, NULL); +#ifdef HAVE_LOGIN_CAP + warntime = login_getcaptime(lc, "warnpassword", + DEFAULT_WARN, DEFAULT_WARN); +#endif /* HAVE_LOGIN_CAP */ + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + logit("%s Password expired - forcing change", + pw->pw_name); + if (newcommand != NULL) + xfree(newcommand); + newcommand = xstrdup(_PATH_CHPASS); + } else if (pw->pw_change - tv.tv_sec < warntime && + !check_quietlogin(s, command)) + (void)printf( + "Warning: your password expires on %s", + ctime(&pw->pw_change)); + } + +#ifndef USE_PAM + if (pw->pw_expire) { + if (tv.tv_sec >= pw->pw_expire) { + (void)printf( + "Sorry -- your account has expired.\n"); + logit( + "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", + pw->pw_name, get_remote_name_or_ip(utmp_len, + options.use_dns), s->tty); + exit(254); + } else if (pw->pw_expire - tv.tv_sec < warntime && + !check_quietlogin(s, command)) + (void)printf( + "Warning: your account expires on %s", + ctime(&pw->pw_expire)); + } +#endif /* !USE_PAM */ +#endif /* __FreeBSD__ */ + +#ifdef HAVE_LOGIN_CAP + /* check if we have a pathname in the ttyname */ + shorttty = rindex( s->tty, '/' ); + if (shorttty != NULL ) { + /* use only the short filename to check */ + shorttty ++; + } else { + /* nothing found, use the whole name found */ + shorttty = s->tty; + } + if (!auth_ttyok(lc, shorttty)) { + (void)printf("Permission denied.\n"); + logit( + "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s", + pw->pw_name, get_remote_name_or_ip(utmp_len, + options.use_dns), s->tty); + exit(254); + } +#endif /* HAVE_LOGIN_CAP */ + if (check_quietlogin(s, command)) 
return; -@@ -738,7 +849,30 @@ - } - #endif /* NO_SSH_LASTLOG */ + display_loginmsg(); - do_motd(); +#ifdef HAVE_LOGIN_CAP + if (command == NULL && + !options.use_login) { + fname = login_getcapstr(lc, "copyright", NULL, NULL); + if (fname != NULL && (f = fopen(fname, "r")) != NULL) { + while (fgets(buf, sizeof(buf), f) != NULL) + fputs(buf, stdout); + fclose(f); + } else + (void)printf("%s\n\t%s %s\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); + } +#endif /* HAVE_LOGIN_CAP */ + + /* + * Print /etc/motd unless a command was specified or printing + * it was disabled in server options or login(1) will be + * used. Note that some machines appear to print it in + * /etc/profile or similar. + */ + if (command == NULL && !options.use_login) + do_motd(); } /* -@@ -754,9 +888,9 @@ +@@ -748,9 +872,9 @@ #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r"); -#else +#else /* !HAVE_LOGIN_CAP */ f = fopen("/etc/motd", "r"); -#endif +#endif /* HAVE_LOGIN_CAP */ if (f) { while (fgets(buf, sizeof(buf), f)) fputs(buf, stdout); -@@ -783,10 +917,10 @@ +@@ -777,10 +901,10 @@ #ifdef HAVE_LOGIN_CAP if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) return 1; -#else +#else /* HAVE_LOGIN_CAP */ if (stat(buf, &st) >= 0) return 1; -#endif +#endif /* HAVE_LOGIN_CAP */ return 0; } -@@ -973,6 +1107,10 @@ +@@ -967,6 +1091,10 @@ char buf[256]; u_int i, envsize; char **env, *laddr, *path = NULL; +#ifdef HAVE_LOGIN_CAP + extern char **environ; + char **senv, **var; +#endif /* HAVE_LOGIN_CAP */ struct passwd *pw = s->pw; /* Initialize the environment. 
*/ -@@ -980,6 +1118,9 @@ +@@ -974,6 +1102,9 @@ env = xmalloc(envsize * sizeof(char *)); env[0] = NULL; + /* Moved up to resove confict with gsssapi patches */ + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); #ifdef HAVE_CYGWIN /* * The Windows environment contains some setting which are -@@ -1034,9 +1175,21 @@ +@@ -1032,9 +1163,21 @@ /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); +#ifdef HAVE_LOGIN_CAP + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; + if (setusercontext(lc, pw, pw->pw_uid, + LOGIN_SETENV|LOGIN_SETPATH) < 0) { + perror("unable to set user context enviroment"); + } + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) + xfree(*var); + xfree(environ); + environ = senv; +#endif /* HAVE_LOGIN_CAP */ } - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1245,7 +1398,7 @@ - setpgid(0, 0); - # endif +@@ -1234,6 +1377,12 @@ + void + do_setusercontext(struct passwd *pw) + { ++ ++#ifdef CHROOT ++ char *user_dir; ++ char *new_root; ++#endif /* CHROOT */ ++ + #ifndef HAVE_CYGWIN + if (getuid() == 0 || geteuid() == 0) + #endif /* HAVE_CYGWIN */ +@@ -1254,10 +1403,30 @@ + } + # endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } -@@ -1275,7 +1428,16 @@ ++#ifdef CHROOT ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; ++ ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; ++ ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ pw->pw_dir = new_root; ++ 
break; ++ } ++ ++ new_root += 2; ++ } ++#endif /* CHROOT */ ++ permanently_set_uid(pw); + #else + # if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) + /* Sets login uid for accounting */ +@@ -1284,7 +1453,16 @@ * Reestablish them here. */ if (options.use_pam) { - do_pam_session(); + /* check if we have a pathname in the ttyname */ + shorttty = rindex( s->tty, '/' ); + if (shorttty != NULL ) { + /* use only the short filename to check */ + shorttty ++; + } else { + /* nothing found, use the whole name found */ + shorttty = s->tty; + } + do_pam_session(s->pw->pw_name, shorttty); do_pam_setcred(0); } # endif /* USE_PAM */ -@@ -1411,7 +1573,7 @@ +@@ -1374,7 +1552,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ - for (i = 3; i < 64; i++) + for (i = 3; i < getdtablesize(); i++) close(i); + } - /* -@@ -1429,6 +1591,31 @@ +@@ -1503,6 +1681,31 @@ exit(1); #endif } + +#ifdef __FreeBSD__ + if (!options.use_login) { + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + syslog(LOG_INFO, + "%s Password expired - forcing change", + pw->pw_name); + if (system("/usr/bin/passwd") != 0) { + perror("/usr/bin/passwd"); + exit(1); + } + } + } + } +#endif /* __FreeBSD__ */ if (!options.use_login) do_rc_files(s, shell); Property changes on: head/security/openssh-portable/files/patch-session.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.18 \ No newline at end of property +1.19 \ No newline at end of property